rpms/selinux-policy/F-9 policy-20071130.patch, 1.129, 1.130 selinux-policy.spec, 1.655, 1.656
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Wed Apr 23 20:30:08 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4760
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Wed Apr 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-39
- Change etc files to config files to allow users to read them
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.129
retrieving revision 1.130
diff -u -r1.129 -r1.130
--- policy-20071130.patch 22 Apr 2008 20:06:57 -0000 1.129
+++ policy-20071130.patch 23 Apr 2008 20:29:30 -0000 1.130
@@ -8,106 +8,6 @@
- Label /proc/kallsyms with system_map_t.
- 64-bit capabilities from Stephen Smalley.
- Labeled networking peer object class updates.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
---- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/Makefile 2008-04-21 11:02:47.842805000 -0400
-@@ -235,7 +235,7 @@
- appdir := $(contextpath)
- user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
- user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
--appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
- net_contexts := $(builddir)net_contexts
-
- all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -309,20 +309,22 @@
-
- # parse-rolemap modulename,outputfile
- define parse-rolemap
-- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-+ echo "" >> $2
-+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
- endef
-
- # perrole-expansion modulename,outputfile
- define perrole-expansion
-- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-- $(call parse-rolemap,$1,$2)
-- $(verbose) echo "')" >> $2
--
-- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-- $(call parse-rolemap-compat,$1,$2)
-- $(verbose) echo "')" >> $2
-+ echo "No longer doing perrole-expansion"
-+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-+# $(call parse-rolemap,$1,$2)
-+# $(verbose) echo "')" >> $2
-+
-+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-+# $(call parse-rolemap-compat,$1,$2)
-+# $(verbose) echo "')" >> $2
- endef
-
- # create-base-per-role-tmpl modulenames,outputfile
-@@ -521,6 +523,10 @@
- @mkdir -p $(appdir)/users
- $(verbose) $(INSTALL) -m 644 $^ $@
-
-+$(appdir)/initrc_context: $(tmpdir)/initrc_context
-+ @mkdir -p $(appdir)
-+ $(verbose) $(INSTALL) -m 644 $< $@
-+
- $(appdir)/%: $(appconf)/%
- @mkdir -p $(appdir)
- $(verbose) $(INSTALL) -m 644 $< $@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
---- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- @echo "Compliling $(NAME) $(@F) module"
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
-- $(call perrole-expansion,$(basename $(@F)),$@.role)
-- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+# $(call perrole-expansion,$(basename $(@F)),$@.role)
-+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- $(verbose) $(genperm) $(avs) $(secclass) > $@
-- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
-
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -147,7 +147,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- $(verbose) echo "" > $@
-- $(call parse-rolemap,base,$@)
-+# $(call parse-rolemap,base,$@)
-
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400
-@@ -96,7 +96,7 @@
- #
- # Load the binary policy
- #
--reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
-+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- @echo "Loading $(NAME) $(loadpath)"
- $(verbose) $(LOADPOLICY) -q $(loadpath)
- @touch $(tmpdir)/load
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context 2008-04-21 11:02:47.859787000 -0400
@@ -791,6 +691,62 @@
+system_r:sshd_t xguest_r:xguest_t
+system_r:crond_t xguest_r:xguest_crond_t
+system_r:xdm_t xguest_r:xguest_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
+--- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500
++++ serefpolicy-3.3.1/Makefile 2008-04-21 11:02:47.842805000 -0400
+@@ -235,7 +235,7 @@
+ appdir := $(contextpath)
+ user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+ user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+ net_contexts := $(builddir)net_contexts
+
+ all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+@@ -309,20 +309,22 @@
+
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++ echo "" >> $2
++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+- $(call parse-rolemap,$1,$2)
+- $(verbose) echo "')" >> $2
+-
+- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+- $(call parse-rolemap-compat,$1,$2)
+- $(verbose) echo "')" >> $2
++ echo "No longer doing perrole-expansion"
++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++# $(call parse-rolemap,$1,$2)
++# $(verbose) echo "')" >> $2
++
++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++# $(call parse-rolemap-compat,$1,$2)
++# $(verbose) echo "')" >> $2
+ endef
+
+ # create-base-per-role-tmpl modulenames,outputfile
+@@ -521,6 +523,10 @@
+ @mkdir -p $(appdir)/users
+ $(verbose) $(INSTALL) -m 644 $^ $@
+
++$(appdir)/initrc_context: $(tmpdir)/initrc_context
++ @mkdir -p $(appdir)
++ $(verbose) $(INSTALL) -m 644 $< $@
++
+ $(appdir)/%: $(appconf)/%
+ @mkdir -p $(appdir)
+ $(verbose) $(INSTALL) -m 644 $< $@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8
--- nsaserefpolicy/man/man8/httpd_selinux.8 2008-02-18 14:30:19.000000000 -0500
+++ serefpolicy-3.3.1/man/man8/httpd_selinux.8 2008-04-21 11:02:47.931714000 -0400
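Review bot: The re-added Makefile hunk leaves `parse-rolemap` and `perrole-expansion` as stubs built from commented-out recipe lines plus placeholder echos, and `perrole-expansion` no longer writes `$2` at all, so any caller that still expects the `.role` file would silently get nothing. If per-role template expansion is permanently gone from this policy, delete the two definitions and their `$(call …)` sites rather than keeping `#`-prefixed recipe lines (a `#` recipe line is still handed to the shell on every expansion). If the stubs must stay for compatibility, make them explicit empty defines and record why, e.g. `# per-role templates are not generated in this policy; kept as no-ops for callers` above `define parse-rolemap`. The `echo "" >> $2` line also drops the `$(verbose)` prefix used by every other recipe in this file. The `$(appdir)/initrc_context` rule installing from `$(tmpdir)` with `-m 644` is consistent with the neighbouring appconfig rule.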
@@ -2577,6 +2533,109 @@
usermanage_domtrans_groupadd(rpm_script_t)
usermanage_domtrans_useradd(rpm_script_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-21 11:02:48.070575000 -0400
+@@ -55,7 +55,7 @@
+ #
+
+ # Use capabilities.
+- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_sudo_t self:process { setexec setrlimit };
+ allow $1_sudo_t self:fd use;
+@@ -68,33 +68,35 @@
+ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_sudo_t self:unix_dgram_socket sendto;
+ allow $1_sudo_t self:unix_stream_socket connectto;
+- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
++ allow $1_sudo_t self:key manage_key_perms;
[...2041 lines suppressed...]
-@@ -4778,6 +5011,14 @@
+@@ -4778,6 +5017,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -33691,7 +33916,7 @@
')
########################################
-@@ -4839,6 +5080,26 @@
+@@ -4839,6 +5086,26 @@
########################################
## <summary>
@@ -33718,7 +33943,7 @@
## Create, read, write, and delete all directories
## in all users home directories.
## </summary>
-@@ -4859,6 +5120,25 @@
+@@ -4859,6 +5126,25 @@
########################################
## <summary>
@@ -33744,7 +33969,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4879,6 +5159,26 @@
+@@ -4879,6 +5165,26 @@
########################################
## <summary>
@@ -33771,7 +33996,7 @@
## Create, read, write, and delete all symlinks
## in all users home directories.
## </summary>
-@@ -5115,7 +5415,7 @@
+@@ -5115,7 +5421,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -33780,7 +34005,7 @@
')
files_search_home($1)
-@@ -5304,6 +5604,63 @@
+@@ -5304,6 +5610,63 @@
########################################
## <summary>
@@ -33844,7 +34069,7 @@
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
-@@ -5509,7 +5866,7 @@
+@@ -5509,7 +5872,7 @@
########################################
## <summary>
@@ -33853,7 +34078,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5517,18 +5874,17 @@
+@@ -5517,18 +5880,17 @@
## </summary>
## </param>
#
@@ -33876,7 +34101,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5536,17 +5892,17 @@
+@@ -5536,17 +5898,17 @@
## </summary>
## </param>
#
@@ -33898,7 +34123,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5554,12 +5910,49 @@
+@@ -5554,18 +5916,55 @@
## </summary>
## </param>
#
@@ -33910,11 +34135,13 @@
')
- read_files_pattern($1,userdomain,userdomain)
+- kernel_search_proc($1)
+ allow $1 user_ttynode:chr_file rw_term_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of all user domains.
+## Do not audit attempts to use unprivileged
+## user ttys.
+## </summary>
@@ -33948,10 +34175,16 @@
+ ')
+
+ ps_process_pattern($1,userdomain)
- kernel_search_proc($1)
- ')
-
-@@ -5674,6 +6067,42 @@
++ kernel_search_proc($1)
++')
++
++########################################
++## <summary>
++## Get the attributes of all user domains.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5674,6 +6073,42 @@
########################################
## <summary>
@@ -33994,7 +34227,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5704,3 +6133,370 @@
+@@ -5704,3 +6139,370 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -35020,7 +35253,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-21 11:02:50.611505000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-23 10:09:03.411358000 -0400
@@ -0,0 +1,174 @@
+
+policy_module(virt,1.0.0)
@@ -35058,7 +35291,7 @@
+files_type(virt_var_lib_t)
+
+type virt_etc_t;
-+files_type(virt_etc_t)
++files_config_file(virt_etc_t)
+
+type virt_etc_rw_t;
+files_type(virt_etc_rw_t)
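Review bot: Changing `files_type(virt_etc_t)` to `files_config_file(virt_etc_t)` gives the type the config-file attribute, so it becomes readable by every domain granted the generic read-config-files interfaces (files_read_config_files() and similar), not only the user domains the changelog names. That is appropriate for non-sensitive daemon configuration, but confirm that nothing carried under the virt_etc_t label holds credentials or private keys before shipping; anything that does should get a separate, more restricted type, as virt_etc_rw_t already is here (it stays plain files_type). A short comment recording the intent would help the next maintainer: `# config_file: readable by any domain with generic config-file read access, not just virtd`. The rest of virt.te is outside this hunk.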
@@ -35867,3 +36100,47 @@
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
+--- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500
++++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ @echo "Compliling $(NAME) $(@F) module"
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+- $(call perrole-expansion,$(basename $(@F)),$@.role)
+- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++# $(call perrole-expansion,$(basename $(@F)),$@.role)
++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -147,7 +147,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ $(verbose) echo "" > $@
+- $(call parse-rolemap,base,$@)
++# $(call parse-rolemap,base,$@)
+
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500
++++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400
+@@ -96,7 +96,7 @@
+ #
+ # Load the binary policy
+ #
+-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
+ @echo "Loading $(NAME) $(loadpath)"
+ $(verbose) $(LOADPOLICY) -q $(loadpath)
+ @touch $(tmpdir)/load
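Review bot: In the Rules.modular part, `$(tmpdir)/rolemap.conf` now produces only an empty line (`echo "" > $@` with the `$(call parse-rolemap,base,$@)` commented out) yet it still depends on `$(rolemap)` and is still a prerequisite of `$(tmpdir)/all_te_files.conf`, so an edit to the rolemap file triggers a rebuild that concatenates an empty stub into the base policy. Either drop the rolemap.conf rule and its prerequisite edge, or keep it and say why: `# rolemap is intentionally not expanded; rolemap.conf is an empty placeholder`. The three other commented-out `$(call …)` recipe lines should be deleted rather than left as `#` lines, since they are still passed to the shell. Adding `$(ncpath)` to the `reload` prerequisites in Rules.monolithic looks correct, as the network contexts are loaded alongside the policy.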
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.655
retrieving revision 1.656
diff -u -r1.655 -r1.656
--- selinux-policy.spec 22 Apr 2008 19:16:28 -0000 1.655
+++ selinux-policy.spec 23 Apr 2008 20:29:30 -0000 1.656
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 38%{?dist}
+Release: 39%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,8 +385,8 @@
%endif
%changelog
-* Tue Apr 22 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-38
-- Bump for release
+* Wed Apr 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-39
+- Change etc files to config files to allow users to read them
* Fri Apr 14 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-37
- Lots of fixes for confined domains on NFS_t homedir